Case Study – NatureCare


NatureCare Products is an Australian company based in Brisbane. The company commenced business in 1996 and manufactures eco-friendly, high-quality beauty skin care products. The business was established to cater for a growing demand for skin products that contain eco-friendly and natural ingredients. There is also an emphasis on eco-friendly packaging.

The company sells its products in health food shops across the country, as well as online through its own web site. The company targets customers that want high-quality, eco-friendly products. Market research and NatureCare’s basic customer database have identified that around 70% of customers are professional women aged 25 to 55.

The company currently has a small range of products that include:

Cleansing creams to soothe skin during make-up removal. Primary ingredients include Shea butter to nourish the skin and plant extracts that are also rich in essential oils with regenerating and anti-inflammatory properties. This product will be for delicate and mature skins and could also be used as a baby cream.

Multi Protection Day Moisturizing Creams for dry to normal skin types that help protect the skin during the day and include Shea butter and extracts from fragile green algae that provide hydrating and protective properties.

Regenerating facial scrub to clean off dead skin cells to promote regeneration of healthy new cells. This product will be used for most skin types.

The strategic objectives of the company are to increase market share by 20%. At a recent board meeting the two company shareholders and the CEO discussed options for expanding the business and decided to establish a chain of retail outlets in central Sydney, Brisbane and Melbourne within the next six months. The CEO has confirmed that the banks are willing to loan 70% of the capital required and the shareholders have committed to finding the remaining 30%.

The company is also currently developing more products, focusing on a range that meets particular skin needs rather than a one-size-fits-all approach. The new products are timed to be ready for sale at the same time as the opening of the new retail outlets. Suppliers (based in China, Philippines and New Zealand) have all indicated their ability to supply and fill additional orders.

Currently the company employs the following staff: Accounts Manager, Marketing Manager, Marketing Assistant, Sales Manager, four customer service representatives, Office Manager, Administration Assistant, Operations Manager, Financial manager, Payroll administrator, Finance assistant (accounts payable and receivable etc.) as well as the CEO and two shareholders as indicated above.

The CEO has asked you, as the Finance manager, to investigate the risks associated with this venture, with a particular focus on financial activities performed by the finance team. General activities and responsibilities of the finance team include payroll, banking, accounts payable (supplier payments), accounts receivable (customer receipts) and statutory compliance. Currently, due to the small size of the business, IT falls within the responsibility of the finance team but does not need to be assessed for risk.

Due to the quick timeframe allocated to establish the retail outlets, the CEO has asked all managers and the administration assistant to prioritise any requests you (Financial manager) make regarding the risk management task. The risk management process budget has made a $20 000 provision for a technology advancement (e.g. RPA) but any other spending should be kept to a minimum. The customer service representatives frequently move on to other opportunities and need to be recruited and replaced on a regular basis.

The company currently has a Risk Management Policy and Procedures in place that incorporates the AS/NZS ISO31000:2018 Risk Management Principles and Guidelines.

Information relevant to identify risks

At a team meeting, the Finance manager met with the payroll officer and finance administrator. Together they identified risks and associated outcomes.

The finance administrator was concerned that the theft of stock or cash from retail outlets would result in cashflow problems and criminal charges (negative publicity). A few of the treatment alternatives discussed included security cameras, using well referenced staff, doing frequent audits of the storage room and taking out insurance.

The payroll officer was mostly worried about an increase in the workload and wondered whether more staff should be employed.

The Finance manager had recently attended a professional development training session about using automated processes to do mundane finance related tasks (RPA). As such, he mentioned that due to an increased workload and demand on the finance staff, there would be incorrect invoicing of suppliers. This would result in delayed payment and weakening of the supplier relationship and may affect staff retention and work performance. Treatment alternatives that were discussed included training and rewarding staff and automating processes where necessary.

The payroll officer and finance administrator requested that priority be given to the increased workload on the finance team.

Information relevant to assessing the risks

At the same meeting (to identify risks), the finance manager asked the team to estimate the likelihood and impact (severity) of each risk:

| Risk | Potential outcome | Finance Manager: Likelihood | Finance Manager: Impact | Payroll officer: Likelihood | Payroll officer: Impact | Finance assistant: Likelihood | Finance assistant: Impact |
|---|---|---|---|---|---|---|---|
| Theft of stock or cash from retail outlets | cashflow problems | 2 | 3 | 1 | 2 | 2 | 2 |
| | criminal charges | 1 | 1 | 2 | 1 | 2 | 1 |
| Incorrect invoicing of new suppliers | delayed payment | 4 | 2 | 2 | 2 | 1 | 2 |
| | weakening of the supplier relationship | 4 | 3 | 3 | 3 | 3 | 3 |
| Increased demand on payroll and accounts receivable/payable staff | staff retention issues | 3 | 3 | 2 | 2 | 3 | 2 |
| | work performance | 3 | 3 | 3 | 4 | 4 | 3 |

Information relevant to monitoring and evaluating the risk management process/project

NatureCare stores were opened in Sydney, Brisbane and Melbourne within the six months requested by the CEO and the stores have been operating for three months.

An invoicing RPA system was implemented in the finance department one month after stores opened. There have been no invoicing issues since it was implemented. Implementation of the system cost $25 000.

After the stores had been operating for three months, recorded incidents showed that there had been three instances of store room theft across three stores. The CEO has raised concerns that the risk management process did not adequately control this risk.

The finance administrator had taken seven days of sick leave since the implementation of RPA 2 months before (as opposed to an average of 1 per month in the past). When questioned about the leave, the finance administrator admitted to feeling overwhelmed by the new technology.

The operations manager mentioned at a recent executive team meeting that one of the regular container suppliers had merged with another company and would no longer be producing the containers NatureCare ordered.



Risk Management Policy and Procedures


To provide information and guidance on Risk Management. This Policy applies to all NatureCare Products employees.


The following principles form the foundation of the NatureCare Products Risk Management Policy and Procedures:

A commitment to implement risk management effectively:

NatureCare Products is committed to managing and minimising risk. This will be done by identifying, analysing, evaluating and treating risk exposure that may impact on NatureCare Products achieving its objectives and/or the efficiency and effectiveness of its operations.

NatureCare Products will incorporate risk management into its planning and decision-making processes and it must also be included as a consideration in operational planning as a delegated line management responsibility.

NatureCare Products staff must implement risk management according to relevant legislative requirements and appropriate risk management standards.

A commitment to training and knowledge development in the area of risk management:

NatureCare Products is committed to ensuring that all staff, particularly those with management, advisory and decision-making responsibilities, obtain a sound understanding of the principles of risk management and the requisite skills to implement risk management effectively.

A commitment to monitor performance and review progress in risk management:

NatureCare Products will regularly monitor and review the progress being made in developing an appropriate culture of risk management and the effective implementation of risk management strategies throughout the organisation as a basis for continuous improvement.


Risk must first and foremost be managed at the corporate level as part of the NatureCare Products good governance and corporate management processes. Risk management is considered an integral part of all management and decision-making functions within NatureCare Products. The responsibility for the identification of risk and the implementation of control strategies and follow up remains a delegated line management responsibility. All stakeholders have a significant role in the management of risk. This role may range from initially identifying and reporting risks associated with their own jobs to participation in the risk management process.

Aims and Objectives

NatureCare Products aims to integrate risk management into the management culture of NatureCare Products and foster an environment where staff assume responsibility for managing risks.

To secure its commitment to implement risk management effectively, NatureCare Products aims to implement risk management across all aspects of NatureCare Products in accordance with best practice guidelines.

To secure its commitment to training and knowledge development in the area of risk management, NatureCare Products aims to ensure that performance in risk management is a consideration in the NatureCare Products’ performance management systems and other stakeholders have access to appropriate information, training and other development opportunities in the area of risk management.

To secure its commitment to monitoring performance and reviewing progress, NatureCare Products aims to ensure that appropriate monitoring, review and reporting processes are in place in the area of risk management.

The objectives of risk management are to:

provide a structured basis for strategic, tactical and operational planning across NatureCare Products, enhancing its governance and corporate management processes;

enable NatureCare Products to effectively discharge its statutory and legislative financial management responsibilities;

provide a practical framework for managers to assess risks inherent in the decisions they take;

assist and motivate decision makers, at all levels, to make good and proactive management decisions that do not expose NatureCare Products to unacceptable levels of risk of unfavourable events occurring which adversely impact on the attainment of organisational goals

encourage and commit decision makers to identify sound business opportunities that will benefit NatureCare Products without exposing the company to unacceptable levels of risk;

minimise the risks of not identifying sound business opportunities

protect NatureCare Products from unacceptable costs or losses associated with its operations, while safeguarding its resources: its people, finance, property and reputation

assist NatureCare Products in achieving its strategic objectives

create an environment where all staff assume responsibility for risk management



Risk management is a whole of Organisation Process. It must first and foremost be managed at the corporate level as part of NatureCare Products’ good governance and corporate management processes. This process, coordinated and facilitated by the CEO, will involve the following key steps:

an annual risk identification exercise undertaken by the CEO. This involves assessment of the consequence and likelihood of risk, and the development and/or review of individual risk management plans for the risks identified which exceed NatureCare Products’ defined acceptable risks

wherever practicable, the inclusion of a Risk Management Assessment for all business activities

the incorporation of risk management into strategic planning, as well as operational and resource management planning processes

ensure risk management processes are incorporated into the quality assurance and improvement systems of NatureCare Products

clearly define and document escalation procedures for risk management

ensure a consistency in approach of responses to the same risk by different sections of NatureCare Products

test documented risk management procedures at appropriate intervals.


Risk management is a delegated line management responsibility. It is the responsibility of all line managers to continually monitor their areas of responsibility to ensure that risks are identified and managed. Line managers should ensure that a contribution is made to NatureCare Products risk management process, on behalf of their areas of responsibility, that identifies risks at all levels.

The sharing of documented responses to risks and knowledge of risk management principles and procedures will be fostered between line managers to ensure consistency across NatureCare Products.

On an annual basis, line managers should review all activities to ensure that any unacceptable risk exposures are identified and managed at an appropriate level. All operational sections will be required to report on risk management as part of NatureCare Products’ annual operational and resource management process.


Each employee or other stakeholder throughout NatureCare Products has a role in the risk management process and is responsible for actively participating in the risk management process as appropriate to their position within the organisation.

New Opportunities

In addition to the risks that already exist, NatureCare Products is continually exposed to new risks, particularly from the introduction of new activities.

New risks should be incorporated into the initial planning and assessment processes conducted prior to undertaking the activity and, subsequently, into the annual risk management assessment at the appropriate level(s) of activity and management. A risk management plan must then be developed.

The risk management process is a collaborative process whereby all managers and supervisors identify risks and then meet to discuss and evaluate risks.

To identify risks, the following questions must be considered:

What threats or opportunities in the current economic climate may impact on the business area?

What could go wrong with the expansion in regard to the business area?

What issues relevant to the business area could prevent the expansion from occurring?

What is the worst-case scenario in terms of the business area and the expansion?


The principles of risk management shall be applied to all areas of risk exposure, insurable and non-insurable, and shall include, but not be limited to the following areas:

Insurable Risks

Insurable workplace health and safety risks

Insurable fraud and corruption prevention activities

Unauthorised use of resources which represent an insurable risk

Reputation and image as an insurable risk

Fire prevention measures and security precautions

Property loss and damage

Computer security

Professional negligence

Other liability exposures

Legal liability

Non-Insurable Risks

Non-insurable workplace health and safety risks

Non-insurable fraud and corruption prevention activities

Unauthorised use of resources which represent a non-insurable risk

Reputation and image as a non-insurable risk

Crisis contingency planning and disaster recovery

Accounting controls that are not cost effective

Loss of key staff and intellectual property

Management system inadequacies and poor work quality

Failure or disruption of a major income source or investment

Risk assessment

For all risks the business elects to manage, the likelihood of each risk occurring must be estimated. Risk likelihood must be calculated by taking the average of at least two stakeholder estimations. This must be done using the following scale:

Rare 1
Unlikely 2
Likely 3
Very likely 4


Similarly, the risk impact must be calculated by taking the average of at least two stakeholder estimations using the following scale:

Minor 1
Moderate 2
Significant 3
Catastrophic 4

Risk will be prioritised using the risk matrix:


Extreme and high risks should receive high priority.

Moderate risks should receive medium priority.

Low and very low risks should receive low priority.


The CEO will regularly monitor and review the progress being made in developing an appropriate culture of risk management and the effective implementation of risk management strategies throughout the organisation.


The CEO will ensure that, through its monitoring, review and reporting functions, NatureCare Products maintains a consistent approach to its assessment of acceptable risk.


Each stage of the risk management process shall be appropriately documented. The extent of documentation required is dependent on the nature of the risk. Documentation will be controlled, and become part of an auditable quality management process. Risk registers must contain:


potential outcomes



calculated risk




A representation and compliance statement should be provided by each manager as formal acknowledgement of their responsibility to comply with risk management policies and procedures.

Each employee should have included in their Position Description a responsibility for risk management, and Annual Performance Appraisals should include an appropriate assessment thereof.

Staff Development

Management shall ensure that staff have available to them appropriate information and training opportunities in risk management as appropriate to their position and role within NatureCare Products.


Internal Communication Policy and Procedures


NatureCare aims to enhance and streamline communications (internal and external) to reinforce the vision and strategic priorities. As such, we will continue to develop and trial new communication platforms, channels, and tools to improve information sharing and collaboration between all staff members.

This policy is to be implemented in a way that ensures compliance with relevant legislative requirements and standards of best practice.

NatureCare expects that staff will use the channels for business purposes only and comply with all relevant policies and procedures and the Code of Conduct.

Communication channels

NatureCare has a number of internal communication channels available, including:

| Channel | Purpose |
|---|---|
| Project or action plans | All plans should be communicated verbally to those responsible for steps in the plan. Action plans must be updated to show completion of each action/process or task. |
| Executive team meetings | Information relevant to all line managers should be discussed at the weekly executive team meeting and a summary report of the issue provided to each line manager. (If urgent, an email should be sent instead.) |
| Team meetings | Information relevant to a specific team should be discussed at the weekly team meeting. (If urgent, an email should be sent or a telephone call made instead.) |
| Staff bulletin | This contains information from the executive to staff which is important and relevant to their interests, including training, employment vacancies and important announcements. Contributions for the Staff Bulletin must be approved in advance by the contributor’s relevant manager before being sent to the communications officer for review and inclusion. |
| Staff surveys | These are used to gather information and feedback from all staff members. Surveys should be sent to staff via email link. |
| NatureCare intranet | The intranet provides important information for staff in an easily accessible location. The intranet is to be used for conveying information which is important and relevant from the executive team to staff. It is the responsibility of the person contributing the content to ensure the content is factually correct. All contributions must be approved in advance by the contributor’s relevant manager. |
| Enterprise social networks (e.g. Yammer, Facebook) | These may be used by groups of staff to collaborate and communicate on projects online (e.g. to share and comment on work-related ideas, news and activities). These platforms may not be used for personal purposes during work hours. Use of these networks must comply with the Social Media Policy. |
| All Staff emails | Emails are used for messages to and between staff. Staff are required to read all their work-related emails. |
| Email distribution lists | Email distribution lists may only be used by the executive team and should adhere to the Privacy policy. |


Procurement Policy and Procedures


This policy outlines how NatureCare manages its purchasing activities to maximise value, minimise cost and support company strategies.

The policy applies to all employees who have the delegated authority to procure goods, services and/or works on behalf of the company.

For the purpose of this Policy, the term supplier includes all suppliers, contractors and consultants engaged to provide goods, services and/or works to the company.

Procurement Practices

The procurement of goods, services and/or works must be consistent with the Health and Safety Policy.

All procurement activities must take into consideration the environmental impact and value for money over the whole-of-life of the goods and/or services.

Consideration needs to be given to ongoing operational costs including the use of water and energy, greenhouse performance, disposal, recyclability and other relevant factors.

The CEO holds overall responsibility for procurement, including compliance, and drives business initiatives that help manage risk, control optimal spend, achieve vendor consolidation and cost efficiency.

The authority to approve expenditure must be in accordance with the company’s Delegation and Sub-Delegation of Authority and limited to the cost centres and/or activities within control of the position.

Procurement activities should be delivered or overseen by the position or Business Unit with the appropriate expertise in that field.

Procurement Principles:

Employees should first check if the goods and/or services can be provided through one of the company’s current preferred or contracted suppliers, or a supplier that has already been set up to do business with the company.

For one-off or simple price-based purchases with a supplier, credit cards are a low cost and efficient means of purchasing, rather than setting up a new supplier in the finance system. Employees should confirm with the supplier that a credit card is an acceptable method of payment, prior to committing the company to the purchase.

The aggregate spend over the year should be considered – if the procurement is for repeated volumes, a fixed term contract should be negotiated to secure favourable price, service and conditions over an extended term.

Records that are created or received during the procurement process should be maintained in line with the company’s current document and records management practices and systems.

Sound judgement and discretion should be exercised in determining the most appropriate sourcing strategies.

The purchase value will determine the bidding process:

| Value | <$2000 | $2000 – $5000 | $5000 – $15000 | $15000 – $30000 | >$30000 |
|---|---|---|---|---|---|
| Method | Direct purchasing | Written quote | More than one written quote | 3 or more written quotes | Proposal or tender required |
| Approval | Team leader | Team manager | Department manager | Senior executive | CEO |